Hi all, I have a group of IPs (172.16.168.1-172.16.168.100) and I want those IPs to have access to port 80 and 53 only, with all other ports blocked. Is this possible with Shorewall rules? If anyone can point me in the right direction or let me know how to do this, I will be very grateful. Kind Regards, David.
Try creating a rule such as

    REJECT loc:172.16.168.0/24 net
    ALLOW loc:172.16.168.0/24 net tcp 53,80

Not sure if this is the most elegant solution, but should do the trick...

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of David T. Thomas, M.D.
Sent: Tuesday, August 09, 2005 8:02 AM
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] Blocking all but port 80 and 53
shorewall mailing list wrote:
> Try creating a rule such as
>
>     REJECT loc:172.16.168.0/24 net
>     ALLOW loc:172.16.168.0/24 net tcp 53,80
>
> Not sure if this is the most elegant solution, but should do the trick...

Two things. Shorewall rules are order-sensitive. So the first rule totally masks the second one.

If you reverse the two rules then there is probably still a problem since TCP is not used in DNS except in two cases:

a) When the response is longer than 512 bytes.
b) When doing a zone transfer.

So you need three rules.

Accept TCP 80.
Accept UDP 53.
REJECT all.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
At least one of us knows what we're doing here hehe ;)

>> TCP is not used in DNS except in two cases:
>>
>> a) When the response is longer than 512 bytes.
>> b) When doing a zone transfer.
>>
>> So you need three rules.
>>
>> Accept TCP 80.
>> Accept UDP 53.
>> REJECT all.
>
> -Tom
but to reject everything (all) is already in the "policy" file. so just say what you wanna open in the "rules" file, that's what i do, i hope i do the right thing xD

On 8/10/05, shorewall mailing list <shorewall@gmail.com> wrote:
> At least one of us knows what we're doing here hehe ;)

--
Gr. SteZZz
SteZZz wrote:
> but to reject everything (all) is already in the "policy" file.
> so just say what you wanna open in the "rules" file, that's what i do,
> i hope i do the right thing xD

You are assuming facts not in evidence. The original poster hasn't given us a clue about which zone this "group of IPs (172.16.168.1-172.16.168.100)" is in, which zone he is trying to limit access to, or how he has configured policies between those zones.

-Tom
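Tom's two points (rules are matched in order, so a leading REJECT masks the ACCEPT that follows it, and the decision for traffic no rule matches comes from the policy file) can be made concrete with a small model of first-match evaluation. The code below is an added example, not Shorewall's own code: it parses only the five rule columns used in this thread (ACTION, SOURCE, DEST, PROTO, DEST PORT) and walks them top to bottom the way Shorewall's generated iptables chains do. Everything else is an assumption of the example: the zone names loc and net from the first reply, the source written as the range 172.16.168.1-172.16.168.100 that the question actually asked for (the earlier /24 covers the whole subnet, so it would also hit hosts .101 and above), the action spelled ACCEPT as in Shorewall's rules file rather than the ALLOW of the first reply, the sample packets, and the `policy` argument standing in for whatever the policy file says about loc-to-net traffic.

```python
"""First-match rule evaluation, modelled after how Shorewall's rules file
is processed.  Added example; not Shorewall code.  Rule sets and packets
below are constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # source IP address
    src_zone: str   # zone of the source interface, e.g. "loc"
    dst_zone: str   # destination zone, e.g. "net"
    proto: str      # "tcp" or "udp"
    dport: int      # destination port


def _parse_source(col):
    """Split 'zone[:addr]' into (zone, matcher).  addr may be a CIDR block,
    a dash-separated address range, or absent (any host in the zone)."""
    zone, _, addr = col.partition(":")
    if not addr:
        return zone, lambda ip: True
    if "-" in addr:
        lo, hi = (ipaddress.ip_address(a) for a in addr.split("-", 1))
        return zone, lambda ip: lo <= ip <= hi
    net = ipaddress.ip_network(addr, strict=False)
    return zone, lambda ip: ip in net


def parse_rules(text):
    """Parse 'ACTION SOURCE DEST [PROTO [DEST PORT(S)]]' lines; '#' comments
    and blank lines are ignored.  Returns rules in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        action = cols[0].upper()
        src_zone, src_match = _parse_source(cols[1])
        dst_zone = cols[2]
        proto = cols[3].lower() if len(cols) > 3 else "all"
        ports = frozenset(int(p) for p in cols[4].split(",")) if len(cols) > 4 else frozenset()
        rules.append((action, src_zone, src_match, dst_zone, proto, ports))
    return rules


def decide(rules, pkt, policy="ACCEPT"):
    """Return the action of the FIRST rule matching pkt; if none matches, the
    policy-file decision for that zone pair (passed in as `policy`) applies."""
    ip = ipaddress.ip_address(pkt.src)
    for action, src_zone, src_match, dst_zone, proto, ports in rules:
        if src_zone != pkt.src_zone or dst_zone != pkt.dst_zone:
            continue
        if not src_match(ip):
            continue
        if proto != "all" and proto != pkt.proto:
            continue
        if ports and pkt.dport not in ports:
            continue
        return action
    return policy


# Constructed: the ordering from the first reply (REJECT before ACCEPT).
PROPOSED_RULES = """
# ACTION  SOURCE               DEST  PROTO  DEST PORT(S)
REJECT    loc:172.16.168.0/24  net
ACCEPT    loc:172.16.168.0/24  net   tcp    53,80
"""

# Constructed: Tom's three rules, restricted to the range the question named.
CORRECTED_RULES = """
# ACTION  SOURCE                            DEST  PROTO  DEST PORT(S)
ACCEPT    loc:172.16.168.1-172.16.168.100   net   tcp    80
ACCEPT    loc:172.16.168.1-172.16.168.100   net   udp    53
REJECT    loc:172.16.168.1-172.16.168.100   net
"""

# Constructed sample traffic: in-range hosts doing HTTP, DNS over UDP and
# TCP, SSH; plus one host outside the .1-.100 range.
SAMPLE = [
    Packet("172.16.168.10", "loc", "net", "tcp", 80),
    Packet("172.16.168.10", "loc", "net", "udp", 53),
    Packet("172.16.168.10", "loc", "net", "tcp", 53),
    Packet("172.16.168.10", "loc", "net", "tcp", 22),
    Packet("172.16.168.200", "loc", "net", "tcp", 22),
]


def decisions(rules_text, policy="ACCEPT"):
    """Map (src, proto, dport) -> action for every sample packet."""
    rules = parse_rules(rules_text)
    return {(p.src, p.proto, p.dport): decide(rules, p, policy) for p in SAMPLE}


if __name__ == "__main__":
    for name, text in (("proposed", PROPOSED_RULES), ("corrected", CORRECTED_RULES)):
        print(name)
        for key, action in decisions(text).items():
            print("  %-15s %s/%-3d -> %s" % (key[0], key[1], key[2], action))
```

Run as written, the "proposed" set rejects every sample packet, including the HTTP and DNS traffic it meant to allow, because the REJECT line is reached first. The "corrected" set accepts TCP/80 and UDP/53 from the range and rejects the rest of the range's traffic; the host at .200 is outside the range, matches nothing, and gets whatever `policy` says, which is the point of Tom's last reply. If you also want the TCP fallback for responses over 512 bytes that he mentions, an ACCEPT for tcp 53 belongs above the final REJECT, since anything placed below it is never reached.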